The Proposed Cyber Crime Investigation Model

A cyber crime response centre is a particular type of investigation unit. The model proposed for its investigations is shown in Figure 1.

Figure 1: The proposed Cyber Crime Investigation Model.

In general, an investigation according to this model proceeds in a “waterfall” fashion with activities following each other in sequence. However, it is possible that an activity may require changes to the results of a previous activity or additional work in that activity, so the sequence of activities shown in the model allows backtracking. In fact, it is to be expected that there will be several iterations of some parts of the investigation. In particular, the examination-hypothesis-presentation-proof/defense sequence of activities will usually be repeated a number of times, probably with increasingly complex hypotheses and stronger challenges to them at each iteration as the understanding of the evidence grows.

The major information flows during the investigation are also shown in Figure 1. Information about the investigation flows from one activity to the next all the way through the investigation process. For example, the chain of custody is formed by the list of those who have handled a piece of evidence; it must pass from one stage to the next, with names being added at each step. There are also flows to and from other parts of the organization, and to and from external entities. The information flows are discussed in more detail below.
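The chain-of-custody flow described above can be made verifiable rather than just a list of names. The following added example (not part of the original model or the response centre's own tooling) keeps a hash-linked custody log in which every hand-over records the handler, the activity the evidence is entering, and the evidence hash; a transfer is refused if the evidence no longer matches the hash recorded at the previous step, or if it skips an activity, while moving back to an earlier activity is allowed as the model permits. The activity names are those mentioned on this page; the evidence bytes and handler names are constructed.

```python
import hashlib
import json

# Activities named on this page, in the "waterfall" order the model describes.
ACTIVITIES = ["awareness", "authorization", "planning", "notification",
              "examination", "hypothesis", "presentation", "proof/defense",
              "dissemination"]


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _seal(entry: dict) -> str:
    # Hash of the entry's fields, excluding its own seal, in a canonical order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return digest(json.dumps(body, sort_keys=True).encode())


def new_custody_log(content: bytes, handler: str) -> list:
    """Open the chain of custody when evidence first enters the process."""
    entry = {"handler": handler, "activity": ACTIVITIES[0],
             "evidence_sha256": digest(content), "prev": ""}
    entry["entry_hash"] = _seal(entry)
    return [entry]


def hand_over(log: list, content: bytes, handler: str, activity: str) -> bool:
    """Record a transfer of custody into `activity`; return False if refused."""
    last = log[-1]
    if activity not in ACTIVITIES:
        return False
    if digest(content) != last["evidence_sha256"]:
        return False  # evidence altered since the previous hand-over
    if ACTIVITIES.index(activity) > ACTIVITIES.index(last["activity"]) + 1:
        return False  # activities may be revisited, but not skipped
    entry = {"handler": handler, "activity": activity,
             "evidence_sha256": digest(content), "prev": last["entry_hash"]}
    entry["entry_hash"] = _seal(entry)
    log.append(entry)
    return True


def verify_log(log: list) -> bool:
    """Recompute every seal and link; an edited or dropped entry breaks the chain."""
    prev = ""
    for entry in log:
        if entry["prev"] != prev or _seal(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def handlers(log: list) -> list:
    """The list of names the page describes the chain of custody as being."""
    return [e["handler"] for e in log]
```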
Information Flows in the Model

A number of information flows are shown in the model. First, there is a flow of information within the investigating organization from one activity to the next. This may be within a single group of investigators or between different groups, e.g. when evidence is passed to a specialist forensic laboratory for examination. This flow of information is the most important in the course of the investigation, but may not be formalized because it is within the organization, usually within a single investigating team. However, there are benefits to be obtained by considering this information explicitly. By doing so, support can be provided in the form of automated procedures and tools, e.g. case management tools.

However, before the investigation can begin, information must reach the investigators and create the awareness that an investigation is needed. Obtaining authorization for the investigation involves further information flows to and from the appropriate authorities, e.g. obtaining legal authorization for a search, or authorization to commit resources to investigating an attack.

The planning activity involves several information flows to the investigating team. There will be the investigating organization’s internal policies which must be followed by the investigators. Other information will be drawn in by the investigators to support their work, e.g. technical data on the environment in which they will be working.

If appropriate to the type of investigation, the notification activity will result in a flow of information to the subject of the investigation; e.g. in civil legal proceedings there will be requests for the disclosure of documents. This information will be subject to controls such as the policies of the investigating organization.

When the hypothesis based on the evidence must be justified and defended in the proof/defense activity, information will flow into the investigating team from within their organization and especially from outside (e.g. challenges to evidence presented in court).

When the investigation concludes (whether the outcome is successful from the investigators’ point of view or not) there will be information flows as the results are disseminated. These flows are again subject to controls; e.g. names may have to be withheld, or certain technical details may not be made known immediately to allow solutions to problems to be implemented. The information produced by the investigators may influence internal policies of the organization, as well as becoming inputs to future investigations. It may also be passed through an organization’s information distribution function to become available to other investigators outside the organization, e.g. in the form of a published case study used for training investigators, or as a security advisory to system administrators.

At all times during the investigation, information may flow in and out of the organization in response to the needs of the investigators. These general information flows are subject to the information controls put in place by the investigating organization.

© 2010 National Response Centre For Cyber Crimes Federal investigation agency Headquarters, Islamabad. All rights are reserved.